Thanks a bunch. I'll give it a shot.
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Fischer
Sent: Friday, May 16, 2008 12:00 PM
To: [email protected]
Subject: [ossec-list] Re: "AND" operand for matching strings in rules

One way to do it would be to set those strings you want to match as separate rules in a separate group. Match the first one, then use the <if_sid> tag for the subsequent ones. Also, make sure that all rules in the group except the last one have the noalert="1" property set. Something like this:

    <group name="mygroup">
      <!-- first string: matched silently, nothing alerts yet -->
      <rule id="10001" level="0" noalert="1">
        <match>String A</match>
      </rule>
      <!-- only checked on events where 10001 already matched -->
      <rule id="10002" level="0" noalert="1">
        <if_sid>10001</if_sid>
        <match>String B</match>
      </rule>
      <!-- only checked on events where 10002 already matched; this one alerts -->
      <rule id="10003" level="10">
        <if_sid>10002</if_sid>
        <match>String C</match>
        <description>Alert! All three strings matched</description>
      </rule>
    </group>

Not necessarily the best way, but the only way I can think of. The noalerts are needed to keep those alerts from firing if you match, say, strings A&B but not C.

On Fri, May 16, 2008 at 11:18 AM, Dan Denton <[EMAIL PROTECTED]> wrote:
> Hello list. I see in the docs there's an OR operand, but is there a way to match multiple strings in a rule using an AND operand without using regexes?
> Thanks...
> Dan
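The following is an added example, not part of the thread and not OSSEC's own code: a small Python model of how a chain of <if_sid> rules like the one above behaves on a single log line. It assumes only what the reply relies on, a plain substring <match>, <if_sid> as "parent must have matched this same event", and no alert when the final matched rule is level 0 or carries noalert="1" (in OSSEC, level 0 already means the rule never alerts, so the model treats either as suppression). The rule IDs, descriptions and log lines are constructed for the demonstration; a second, "leaky" chain shows what happens when a middle rule is left at a non-zero level without noalert.

```python
"""Toy model of OSSEC-style rule chaining with <if_sid>.

Added example, not OSSEC's engine: it models only what the thread relies on,
a plain substring <match>, <if_sid> as a parent dependency, and suppression
of the alert when the final matched rule is level 0 or noalert="1".
Real OSSEC adds decoders, regex, frequency/timeframe and more; check real
rules with /var/ossec/bin/ossec-logtest.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    id: int
    level: int
    match: str                    # plain substring, like a <match> with no special chars
    if_sid: Optional[int] = None  # parent rule that must already have matched this event
    noalert: bool = False
    description: str = ""


# The three chained rules from the thread: A and B match silently, C alerts.
RULES = [
    Rule(10001, 0, "String A", noalert=True),
    Rule(10002, 0, "String B", if_sid=10001, noalert=True),
    Rule(10003, 10, "String C", if_sid=10002,
         description="Alert! All three strings matched"),
]

# Same chain, but the middle rule was left at level 5 without noalert:
# a line carrying only A and B now produces an alert of its own.
LEAKY_RULES = [
    Rule(10001, 0, "String A"),
    Rule(10002, 5, "String B", if_sid=10001, description="partial match leaks"),
    Rule(10003, 10, "String C", if_sid=10002,
         description="Alert! All three strings matched"),
]

# Constructed sample log lines (not real OSSEC output).
SAMPLE_LOGS = [
    "May 16 12:00:00 host app: String A seen, then String B, finally String C",
    "May 16 12:00:01 host app: String C before String A and String B",
    "May 16 12:00:02 host app: String A and String B only",
    "May 16 12:00:03 host app: String A and String C only",
    "May 16 12:00:04 host app: nothing relevant here",
]


def evaluate(event: str, rules=RULES) -> Optional[Rule]:
    """Walk the rule tree for one event; return the deepest matching rule.

    Top-level rules (no if_sid) are tried in order.  When one matches, only its
    children (rules whose if_sid names it) are tried next, on the same event.
    The chain therefore stops at the first missing string.
    """
    children = {}
    for r in rules:
        children.setdefault(r.if_sid, []).append(r)
    matched = None
    frontier = children.get(None, [])
    while frontier:
        hit = next((r for r in frontier if r.match in event), None)
        if hit is None:
            break
        matched = hit
        frontier = children.get(hit.id, [])
    return matched


def alert_for(event: str, rules=RULES):
    """Return (rule_id, level, description) if the event alerts, else None."""
    r = evaluate(event, rules)
    if r is None or r.level == 0 or r.noalert:
        return None
    return (r.id, r.level, r.description)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(f"{alert_for(line)!s:<55} <- {line}")
    print("leaky chain on A+B only:", alert_for(SAMPLE_LOGS[2], LEAKY_RULES))
```

Two things the model makes visible that the rule listing alone does not: the order of the strings in the log line does not matter, because each <match> is a substring test on the same event, but the order of the chain does, since a line with A and C but no B stops at rule 10001 and never reaches 10003. And any intermediate rule that alerts on its own turns a partial match into a misleading alert, which is exactly what the level 0 / noalert="1" on the first two rules prevents. Before trusting a real chain, feed representative lines through ossec-logtest and confirm that only the last rule ID shows up as an alert.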
